Microsoft's Largest Ever Patch Release Lands With Two Zero-Days Already Under Attack

Microsoft has shipped its largest security update on record, over 600 fixes in one release, including two flaws already being exploited in live attacks against identity infrastructure and collaboration platforms. Here is what enterprise security teams need to prioritise first.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region4 min read
Illustration representing a record-breaking monthly software security update cycle with two vulnerabilities already under active exploitation.

Illustration representing a record-breaking monthly software security update cycle with two vulnerabilities already under active exploitation.

Microsoft has released its largest single monthly security update to date, addressing well over 600 vulnerabilities across its product line in one release, more than triple the volume it shipped just a month earlier. Two of those fixes are not theoretical. Both are already being used in live attacks, and neither carries the kind of headline severity score that typically triggers urgent attention, which is precisely the trap security teams need to avoid this month.

The first actively exploited flaw sits inside Active Directory Federation Services, the infrastructure that signs authentication tokens across an organisation's trust relationships. An attacker who already has some foothold inside a network can use the flaw to escalate straight to administrator level. The second sits in on-premises SharePoint Server, where a missing authentication check on a critical function allows an unauthorised attacker to elevate privileges remotely, without credentials and without any user interaction. Both have already been added to the US government's actively exploited vulnerabilities register, with remediation deadlines measured in days rather than weeks.

The timing compounds the SharePoint issue. The same week these patches shipped, SharePoint Server 2016 and 2019 reached the end of their extended support window, with no paid extension programme available to fall back on. SharePoint Server Subscription Edition is now the only self-hosted version still receiving full support, which leaves organisations still running the older branches facing both an active exploit and a support cliff at the same time.

A third, unrelated flaw affecting BitLocker's device encryption was also disclosed publicly this month, though it requires physical access to a machine and has not been observed in active attacks. It matters most for lost or stolen laptops and shared devices rather than as a remote threat.

Beyond the exploited pair, the release includes a striking concentration of critical remote code execution flaws: a near-maximum-severity escape vulnerability in the Hyper-V virtual switch that lets an attacker inside a virtual machine break out to compromise the host, a cross-site scripting flaw in Exchange Server capable of running malicious code from nothing more than a viewed email, and a chain of two SharePoint bugs, one already patched and one still awaiting a fix expected next month, that together could allow fully unauthenticated remote code execution once complete. Several critical flaws in Windows DHCP Server, historically a favourite target given how central the service is to network operations, round out the list of issues security teams should not wait on.

What makes this release genuinely difficult to manage is not simply its size. With this many critical and high-severity entries landing in a single cycle, a raw severity score stops being a reliable filter for what to fix first. The two actively exploited bugs here carry only moderate severity ratings on paper, and would have been easy to deprioritise under a scoring-only approach. The more resilient method is layered: patch anything already confirmed as exploited immediately, treat internet-facing identity and collaboration infrastructure as the next tier regardless of score, and use exploit-prediction data alongside official exploited-vulnerability registers to sort everything else, rather than relying on a single number to decide urgency.

There is also a structural story behind the sheer scale of this release. Microsoft has been open about deploying an AI-assisted vulnerability discovery system across its own codebase, and has said plainly that customers should expect materially larger patch volumes going forward as a result. That same dynamic, AI compressing the time between a flaw's discovery and a working exploit, is exactly the risk this outlet has tracked in relation to the systemic pressure AI-accelerated attacks place on shared financial infrastructure. Whether the discovery is happening on the defensive side or the offensive one, the practical result for enterprise security teams is the same: the old rhythm of a monthly patch cycle followed by a comfortable testing window no longer holds. For organisations already relying on continuous monitoring rather than periodic review, this is the kind of month that validates the investment, a case this outlet has made previously when examining why round-the-clock threat monitoring has become the backbone of enterprise defence across the region.

The practical order of operations for this month is straightforward even if the volume is not: patch identity infrastructure and internet-facing collaboration servers today, confirm the update actually installed rather than assuming it did, then work through the remaining critical fixes by exposure and business impact rather than by score alone.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Enterprise Patch ManagementZero-Day ExploitationIdentity Infrastructure Risk